Hackers Use Microsoft Edge to Pull Off a Full Virtual Machine Escape

As the latest Pwn2Own competition wrapped up last week, it brought several critical security vulnerabilities to the fore. On the third and final day of the hacking contest, a team of researchers exploited the Microsoft Edge browser and chained that exploit all the way into an escape from VMware Workstation.

Microsoft Edge couldn’t survive Pwn2Own attacks, either

In a first for the competition, Chinese security firm Qihoo 360 Security earned $105,000 for chaining together three vulnerabilities to escape from a VMware virtual machine. “In a first for the Pwn2Own competition, they absolutely succeeded by leveraging a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape,” Zero Day Initiative (ZDI) wrote in a blog post describing the first full virtual machine escape that started from Microsoft Edge.

But they weren’t the only ones to successfully attack Microsoft’s beloved Edge browser. Tencent Security also targeted the browser on day 1 of the competition, escaping the sandbox using a logic bug. On the final day, Tencent Security targeted VMware Workstation with a three-bug chain of its own and won the Virtual Machine Escapes (Guest-to-Host) category with a VMware Workstation exploit.

“This involved a Windows kernel UAF, a Workstation info leak, and an uninitialized buffer in Workstation to go guest-to-host,” ZDI wrote. “This category ratcheted up the difficulty even further because VMware Tools were not installed in the guest.” The Tencent team received $100,000 for the attack.

360 Security and Tencent Security, the two teams that escaped their virtual machines, finished first and second in the competition, respectively.

What’s the big deal about virtual machine escape

Virtual machines are considered critically important for the security of organizations and individuals alike, since they are used to prevent other tenants on the same server from accessing each other’s data. They are also used to contain untrusted content. For example, when WikiLeaks began publishing the CIA leaks, several security researchers wrote that they were analyzing the material inside a virtual machine to isolate untrusted documents and programs from their real systems. The assumption is that even if the VM is compromised by a drive-by exploit or any other attack, the data on the host remains secure. That assumption holds only as long as the hypervisor boundary holds; a guest-to-host escape is precisely the failure of that guarantee, and it is why the VMware results matter more than any single browser bug.

This is the first year that researchers have demonstrated successful attacks on virtual machines at the contest, a reminder that the hypervisor and its device emulation are software like any other, and that a VM exposed to internet content belongs in the threat model rather than outside it.

The Qihoo security team wrote that they “used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox,” along with “a Windows 10 kernel bug to escape from it and fully compromise the guest machine.”

“Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one,” Qihoo wrote. “All started from and only by a controlled website.”
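Both VMware chains above end with an “uninitialized buffer” in Workstation, and Tencent’s also needed a separate info leak. The following C program, added here as an illustration and not code from VMware, ZDI, or either team, models that bug class with a hypothetical emulated device (`toy_device`) whose reply buffer is reused across guest requests. One request leaves a host pointer in the scratch area; the next copies the whole area back to the guest without clearing the bytes it did not fill, so the guest recovers a host address. The device, its operations, the reply layout and the sample pointer value are all constructed for the demo; the hardened handler beside it shows the fix.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_LEN 32

/* Hypothetical device model (constructed for this example). Device emulators
 * commonly keep per-device state like this and reuse it across requests. */
struct toy_device {
    uint8_t scratch[REPLY_LEN];   /* reply area copied back to the guest */
};

/* Earlier request: the model stashes a host-side pointer at offset 8 of the
 * scratch area (e.g. the host address of a region it just mapped). */
static void handle_map_op(struct toy_device *dev, uintptr_t host_ptr)
{
    memcpy(dev->scratch + 8, &host_ptr, sizeof host_ptr);
}

/* Vulnerable IDENTIFY handler: fills only the 4-byte header, then copies the
 * full 32-byte reply to guest memory. Bytes 4..31 still hold whatever the
 * previous operation left there. */
static void handle_identify_vuln(struct toy_device *dev, uint8_t *guest_out)
{
    uint32_t header = 0x00010002u;           /* "version 1.2", constructed */
    memcpy(dev->scratch, &header, sizeof header);
    memcpy(guest_out, dev->scratch, REPLY_LEN);
}

/* Hardened handler: zero the whole reply first, then fill the defined fields,
 * so stale host data can never cross the guest/host boundary. */
static void handle_identify_fixed(struct toy_device *dev, uint8_t *guest_out)
{
    uint32_t header = 0x00010002u;
    memset(dev->scratch, 0, REPLY_LEN);
    memcpy(dev->scratch, &header, sizeof header);
    memcpy(guest_out, dev->scratch, REPLY_LEN);
}

/* Guest side: interpret the bytes at offset 8 of the reply as a pointer. */
static uintptr_t guest_read_leak(const uint8_t *reply)
{
    uintptr_t v;
    memcpy(&v, reply + 8, sizeof v);
    return v;
}

/* Run map-then-identify against the vulnerable handler and return what the
 * guest recovers: the host pointer itself. */
uintptr_t leak_via_vuln_handler(uintptr_t host_ptr)
{
    struct toy_device dev;
    uint8_t reply[REPLY_LEN];
    memset(&dev, 0, sizeof dev);
    handle_map_op(&dev, host_ptr);
    handle_identify_vuln(&dev, reply);
    return guest_read_leak(reply);
}

/* Same sequence against the hardened handler; the guest sees only zeros. */
uintptr_t leak_via_fixed_handler(uintptr_t host_ptr)
{
    struct toy_device dev;
    uint8_t reply[REPLY_LEN];
    memset(&dev, 0, sizeof dev);
    handle_map_op(&dev, host_ptr);
    handle_identify_fixed(&dev, reply);
    return guest_read_leak(reply);
}

int main(void)
{
    /* Constructed stand-in for a host heap address. */
    uintptr_t fake_host_ptr = (uintptr_t)0x7f3a5c21e040ULL;
    printf("vulnerable handler leaked: 0x%" PRIxPTR "\n",
           leak_via_vuln_handler(fake_host_ptr));
    printf("hardened handler leaked:   0x%" PRIxPTR "\n",
           leak_via_fixed_handler(fake_host_ptr));
    return 0;
}
```

The leaked value is what turns a later memory-corruption bug into a working exploit: a host address defeats ASLR on the hypervisor process, which is why ZDI lists an info leak as a separate link in Tencent’s chain. In real device models the reply is often built on the stack or in a freshly allocated heap block rather than a reused scratch area, but the fix is the same: initialize the entire buffer the guest will see, not just the fields the protocol defines.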

Along with these attacks, Richard Zhu (fluorescence) also demonstrated a SYSTEM-level privilege escalation starting from Microsoft Edge. He used two use-after-free (UAF) bugs in Edge and then escalated to SYSTEM with a buffer overflow in the Windows kernel, picking up $55,000 in winnings.

Yep, plenty of Edge bugs despite Microsoft’s claims that it is the most secure web browser. But it wasn’t the only target. As we reported last week, researchers also revealed bugs in Flash, the macOS kernel, Safari, and Ubuntu, among other products and platforms. For more information on these and the other hacks, visit the Zero Day Initiative.